Personal Privacy in an Information Society. The Fragility of The Medical-Care Relationship


The physician-patient relationship is an inherently intrusive one in that the patient who wants and needs medical care must grant the doctor virtually unconstrained discretion to delve into the details of his life and his person. As a practical matter, because so much information may be necessary for proper diagnosis and treatment, no area of inquiry is excluded. In addition to describing the details of his symptoms, the patient may be asked to reveal what he eats, how much he drinks or smokes, whether he uses drugs, how often he has sexual relations and with whom, whether he is depressed or anxious, where and how long he has worked, and perhaps what he does for recreation. Moreover, he is expected to submit to as much direct observation and recording of what is observed as his condition suggests and as the confines of the medical-care setting permit. As the Executive Director of the American Medical Record Association observed to the Commission, "a complete medical record [today] may contain more intimate details about an individual than could be found in any single document."21

Like all records, the medical record is in part a memory aid. It serves to remind the physician of conditions discovered, drugs prescribed, tests and treatments administered, and the charges levied. Earlier in this century, when most medical professionals were family physicians in solo practice, the typical medical record was simply a small ledger card with entries showing the dates of the patient's visits, the medications prescribed, and the charges. The physician was usually able to file the intimate details of a patient's medical or emotional condition in the "safe crevices of his mind."22 In contrast, a modern hospital medical record may easily run to a hundred pages. The records of a family physician may still hold information on ailments and modes of treatment, but also now note the patient's personal habits, social relationships, and the physician's evaluation of the patient's attitudes and preferences, often in extensive detail.

A great many factors contributed to this marked transformation in medical record-keeping practices. The information needs of third-party users have already been mentioned. Other factors include the progress of medical knowledge and the professional specialization it has fostered; the propensity of the American public to move around, making the medical record the principal instrument for assuring continuity of medical care; and the increasing use of medical records in judicial proceedings, especially in malpractice suits, where the content of a medical record is often the physician's only real defense.23 Today's physician, in short, must learn more and remember more about his patients than his predecessors. To aid memory and to meet the demands for precise documentation, he incorporates more and more of what he learns about patients in their medical records.

Many argue that the efficacy of the medical-care relationship is directly related to the patient's confidence that the information recorded in the course of the relationship will go no further. As one witness told the Commission,

Patients would be reluctant to tell their physicians certain types of information which they need to know in order to render appropriate care, if patients did not feel that such information would remain confidential.24

This may well be true; certainly it has the ring of common sense. If it is true, however, one can only conclude that patients are poorly informed about the information flows that often stem from their relationships with medical professionals.

Physicians have recognized their duty to keep information about patients to themselves since time immemorial. The following clause of the Hippocratic Oath merely acknowledged a principle already rooted in the ethos of ancient Greece:

Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken abroad, I will not divulge, as reckoning that all such should be kept secret.25

Physicians still subscribe to that oath, but in practice modern society requires of them frequent and sometimes substantial departures from it. The ethical code of the American Medical Association, for example, acknowledges that physicians must abandon their duty of confidentiality when required by law to disclose information about a patient, and when in the physician's judgment, he must do so in order to protect the welfare of the patient or of the community.26 Yet, even these major exceptions do not adequately convey the idea of the outward flow of information generated within the context of the medical-care relationship today. They take no note, for instance, of the breadth of many of the authorization statements patients are now routinely asked to sign or of the complex balances that must be struck in deciding when the welfare of the community should take precedence over the welfare of a patient. As a set of ethical precepts, moreover, they do not reach beyond the intimate physician-patient relationship which in today's world constitutes only one segment of the medical-care relationship.

In making these observations, the Commission is aware that the physician's ethical duty to protect the records he keeps about his patients is also established in law. Nineteen States have regulations, statutes, or case law recognizing medical records as confidential and limiting access to them.27 In 21 States, a physician's license may be revoked for willful betrayal of professional secrets.28 These statutes, however, do not generally apply to medical-care providers other than physicians, and although the codes of ethics of most allied health professions reaffirm the principle of confidentiality, the codes can impose only a. moral, not a legal, obligation. Moreover, although a few courts have recognized that a patient has a cause of action against the physician who discloses information about him without his permission, as Westin notes, there is no reported U.S. case in which a physician or hospital had to compensate a patient for an injury resulting from breach of confidentiality.29

More important, the typical statutory prohibition against the disclosure of medical-record information by medical professionals is focused on protecting the professional, not the patient. It prevents the professional from being compelled to testify or to produce records about a patient in court proceedings and before grand juries, and in the 43 States that have some form of testimonial privilege, the protections have gradually been extended from oral communications to records such as medical reports, X-rays, and laboratory tests. With this broadening of the privilege has also come an increasing number of exceptions to it, justified in large part by the belief that the privilege has all too frequently been invoked merely to conceal information that would be neither embarrassing to the patient, nor countertherapeutic, nor destructive of the physician-patient relationship if it were disclosed.30

The most important thing to remember about the testimonial privilege is that it has virtually nothing to do with normal, everyday use and disclosure of records maintained by a medical-care provider. The discretion to disclose or not to disclose, in most circumstances, resides solely with the provider. The courts by and large uphold that autonomy.31

It is true that physicians customarily obtain a patient's authorization before revealing information about him to someone who is not in a position to compel such disclosure legally, but evidence presented to the Commission suggests that this safeguard, too, is weak. As described in Chapters 5 and 8, an investigation by a team of television reporters in late 1975 prompted a Denver, Colorado, grand jury to look into the local activities of a Chicago firm that specialized in obtaining medical-record information on individuals without authorization. The firm, then called "Factual Service Bureau" and now known as "Inner-facts," provides a variety of investigative services, but its speciality appears to have been the surreptitious acquisition of medicalrecord information from hospitals and physicians. Insurance claims investigators and lawyers used this information for a variety of purposes: to estimate how much their companies should reserve to cover particular claims; to assure that a claimant has not exaggerated the gravity of an illness or injury or inflated his lost earning capacity; and to detect other fraud. While in many cases they could have obtained the same information through normal channels, some claims personnel apparently felt there were justifiable reasons for avoiding the normal methods of acquiring it. That a firm like Factual Service Bureau could be successful, at least until it came under scrutiny by the Denver grand jury, appears to have been due in no small measure to the laxity of hospital security measures.

In June, 1976, the Denver grand jury received permission of the Colorado court to issue a special report to the Privacy Protection Study Commission. It said in part:

From the evidence, it is clear that the problem with respect to the privacy of medical records in this jurisdiction exists in many other cities and jurisdictions across the nation . . . [However,] the grand jury believes that there is no one, simple law which can be enacted or action taken to prevent future abuses and unlawful activities concerning medical records. Rather, what is needed is a combination of voluntary self-regulation by institutions, health care provi ders, the insurance industry, and the legal profession. Appropriate state and federal laws . . . should be enacted or amended to better accomplish the goal of protecting medical records.32

The Factual Service Bureau case points up a serious weakness in the protections offered by the authorization procedures used by medical-care providers. Nonetheless, it is not the only weakness, or even the most important for the majority of individuals on whom medical-care providers maintain records. Other Commission witnesses described how the form a patient is now routinely asked to sign authorizing the medical-care provider to disclose medical-record information about him is often so broadly worded that the patient, in effect, signs away all control over what is disclosed and what may be done with it thereafter. A noted authority on the confidentiality of psychiatric records told the Commission that knowing or suspecting that their medical records will be reviewed by outsiders keeps many people from seeking treatment for their illnesses, especially when the illness is psychiatric in character.33

An incident that occurred midway in the Commission's work illustrates how intense this concern can be. In 1976, Blue Cross-Blue Shield, in cooperation with the National Institute of Mental Health, the Civil Service Commission, and the American Psychiatric Association, initiated a study to monitor claims and assess the appropriateness of psychiatric services provided to members of the Blue Cross-Blue Shield Federal Employee Benefit Program. The study required a form containing detailed psychiatric information to be submitted along with the standard claim for reimbursement under the program. The outcry was immediate. Claimants feared that the details of their illness and treatment would find their way into Federal personnel files. Phone calls and letters to local public-interest groups, to the press, to the Congress, and to the Privacy Commission caused Blue Cross-Blue Shield to reconsider the need for some of the most objectionable items of information. Bowing to pressure from Congress and the threat of a lawsuit, Blue Cross-Blue Shield has since developed a new reporting form. Meanwhile, however, some unknown number of Federal employees failed to file such claims for fear of losing jobs or security clearances.

One must ask whether such a public outcry would have resulted from a request for detailed information about disorders other than psychiatric ones. Because of the social stigma attached to mental and nervous disorders in our society, even the fact of admission to a psychiatric hospital or disclosure of the name of the attending physician in a general hospital can have untoward consequences for an individual.

The former Chairman of the American Psychiatric Association Task Force on Confidentiality, told the Commission that his colleagues "are all minimizing the amount of information that goes into the chart to protect the patient."34 The Joint Commission on the Accreditation of Hospitals, in recognition of the extraordinary sensitivity of psychiatric records, has recommended special procedures for filing, storing, and providing authorized access to them.35

Psychiatric records are not the only concern, however; other medical records are also considered to be particularly sensitive. In recent years special Federal statutes have been enacted governing the disclosure of medical-record information pertaining to alcohol and drug abuse.36 The National Center for Health Statistics attributes the unreliability of its data on the incidence of venereal disease to physicians' refusal to make the required reports, fearing, for their patients, the social stigma that attaches to these conditions.37 Nor does this exhaust the list of examples. Still others can be found in the growing literature on medical record-keeping practices and problems.38

Moreover, it is not clear that the nature of a patient's condition is the only factor that arouses anxiety about disclosure and its possible consequences. Because of the deference paid to expert opinion in our society, a physician's offhand comment or speculation about a patient can be taken as an authoritative statement by those making non-medical decisions about the patient. A 1974 article in a journal published by the American Medical Association describes a case in which a physician's discharge report to an employer contained a statement that the patient might have difficulty with money.39 Although hardly a medical judgment, the remark permanently limited the individual's opportunities to advance in his firm. The co-director of a women's health center in Los Angeles gave the Commission still another illustration:

The woman was hospitalized for an acute infection. While in the hospital, she was sent from her own room to the X-ray department, some distance away in the hospital. She was given her medical records, sealed in a manila envelope, and told to walk over to the Xray department. On her way to X-ray, curiosity got the best of her and she opened the envelope to have a look at her condition via the medical record. She was astonished to see more information written in her record about the appearance of the friends who came to visit her in the hospital than about her medical condition.40

Whether such information had been or would be disclosed outside the hospital was not clear. Yet, the fact that it was in the record, the fact that it could have been disclosed, and the fact that the patient would normally have no way of knowing it was there, suggest why the medical-care relationship can be an extremely fragile one today.

One tends to forget that a patient usually has no way of knowing what is in a medical record about him, no way of controlling the accuracy or pertinence of the information it contains, and by and large no alternative but to allow others to have access to it when they ask permission to do so. As indicated earlier, consent to the disclosure of medical-record information about oneself is rarely voluntary. Usually the choice is between signing an authorization statement and foregoing a job or some indispensable service or benefit.41 Under such circumstances an authorization can serve as a means of controlling the disclosure of information about oneself but never as a means of giving voluntary consent, and it can only serve as a means of control if the patient knows what it is he is authorizing to be disclosed. He rarely does, however. Just as custom prescribes an ethical duty of confidentiality for the medical-care provider, so also custom prescribes that the patient shall know nothing that is in the medical record except to the extent that the maker of the record chooses to tell him.

There is, of course, little consensus among medical professionals as to whether a patient should be allowed to learn the contents of his medical record and less as to whether he should be able to see and copy it. Forceful arguments for and against were presented in testimony before the Commission. The fears expressed by private-sector physicians and medical-care institutions were not unlike those of their Federal counterparts before the Privacy Act went into effect-fears which, by and large, have not been supported by experience. For example, one of the most commonly cited arguments in opposition to patient access is that it will lead to tremendous numbers of requests for records and thus greatly increase administrative costs while taking clerical and professional time to search for, prepare, and review records. Yet this has not been the case. A representative of the Health Services Administration of the Public Health Service testified that out of a total estimated patient population of five million, requests for records by patients from the Bureau of Medical Services and the Indian Health Service have so far numbered around 3,000.42 The Deputy Assistant Secretary of Defense for Administration provided no data on the numbers of requests for access to records but noted that only 20 requests for correction of medical records were received in a ten-month period by Department of Defense medical facilities.43 The Administrator of St. Elizabeths Hospital, a large federally run psychiatric facility in Washington, D.C., estimated the number of requests for patient access during the first three months after the Privacy Act took effect at about 63.44

Others argue strongly for allowing an individual to have access to a medical record through a licensed physician designated by him, and still others express concern that patient access would have a detrimental effect on the content of the medical record itself. Nonetheless, the Director of the Public Health Service's Bureau of Medical Services told the Commission that the Privacy Act had the positive effect of encouraging physicians to record only information useful for patient care.45

Indeed, in the final analysis, the most persuasive line of reasoning favoring access turned on the concept of authorization. So long as it is thought acceptable, or even necessary, for an individual's past or present medical condition to be taken into account in making non-medical decisions about him, he will be asked to allow others to have access to his medical records or at least some of the information in them. As a practical matter, however, his authorization allowing such access by a third party will be meaningless so long as he does not know, and cannot find out, what is in the records. Both theoretically and practically, authorization is a meaningless procedure unless the individual knows what he is authorizing to be disclosed.

Finally, although much of the preceding discussion is focused on paper records, it is important to recognize that significant changes are occurring, both in the way information is organized in medical records, and in the way medical records are stored and retrieved. The "problem-oriented medical record" is perhaps the most important and widely accepted of recent attempts to standardize medical-record format. It allows all medical professionals involved in an individual's care to enter data and record observations on the same forms in the same manner. The problem-oriented format is adaptable to all medical-care settings from the physician's private office to the long-term chronic disease facility. More important, its standardized format lends itself easily to computerization and it was, in fact, initially developed with that purpose in mind.

Computerization of medical records in contrast to medical-record information is not a common phenomenon today. As hospitals and other larger medical facilities acquire and use computers for business office functions, however, a move toward computerization of the medical record itself becomes almost inevitable. A survey of some 6,000 hospitals conducted by the American Hospital Association in 1975 indicated that approximately 1,500 had in-house computers,46 and the number undoubtedly has increased in the last two years with the advent of mini-computers and the growing experimentation with hospital information systems. Moreover, as Westin has pointed out in a study conducted for the National Bureau of Standards,47 the flow of medical-record information between hospitals and third-party payers is already heavily automated and likely to become more so.

While this study showed that computerization has not yet led to greater collection of information or wider sharing of confidential records than heretofore prevailed in medical practice, it concluded that the creation of large automated information systems poses new problems and opportunities from a privacy protection viewpoint. The problems are centered around the need to spell out the rules under which personnel within a medical-care institution shall have access to all or part of an automated medical record and the necessary levels of physical security for automated records containing especially sensitive information (such as psychiatric records). The opportunities arise from the fact that an automated record can be adapted to a need-to-know policy more easily than a manual record.

These two trends-changing conceptions of the medical record and increasing automation-are important forces behind the Commission's conviction that now is the proper time to establish privacy protection safeguards for medical records that will enhance the integrity, and thus the efficacy, of the medical-care relationship.